Testing for the coronavirus and communicating the results
It is important that we properly secure your data. We are careful with it, and we comply with laws such as the General Data Protection Regulation (GDPR).
Who works with your personal data?
GGD GHOR Nederland manages the CoronIT IT system for the GGDs. The GGDs are responsible for your personal data if you take a coronavirus test. We use this system to use and store your personal data. We follow all laws as we do this. This means that we handle your personal data properly and safely. We must also tell you what data we have about you, what we do with it, and who works with it. We share your data with the following organisations:
Did you make an appointment for a coronavirus test through the call centre, the coronatest website or a doctor? Then your personal data will be transferred to CoronIT. CoronIT is the administration system for the test process and communication. It lets the GGDs see whose test result it is. Normally, the GGD GHOR cannot see this unless there is a problem that our Service Desk needs to solve. Then we will be allowed to see this data for our Service Desk work. The picture below shows where your data goes.
What happens to your personal data?
We use your personal data to be able to run a coronavirus test. We also use it to tell the GGD and you about the test result. Would you like to know which personal data we ask for? And what else we use it for? Please take a look at the section below called What else do we use your personal data for? Here is a brief description of what happens to your personal data.
See below for more information about all of the steps.
STEP 1: You sign up for a test
You can make an appointment in 3 ways:
You can go to the coronatest website and tell us which symptoms you have. If you have symptoms that are related to coronavirus, we will ask you a number of questions. For example: have you been in contact with people who were infected with coronavirus?
You can then log in with your DigiD and choose a date, time and test location. We will also ask you for your phone number and email address. That way, we can send you confirmation and contact you if needed. You will receive confirmation of your test appointment by email and text message.
You can call the call centre to make an appointment. The employee at the call centre will register your personal data. Then they will make an appointment for your coronavirus test. You will receive confirmation of your test appointment by email and text message.
A doctor may check to see whether you need a coronavirus test. If you do, they will register your personal data. They will then book an appointment for your coronavirus test. You will receive confirmation of your test appointment by email and text message.
STEP 2: You take the test
The GGD does the coronavirus test. First, they look up your personal data in their administration system. Then they make sure that this data is linked to the test tube with your test and the barcode on it.
A GGD employee will do the test for you. They will put a cotton swab with cells from your nose and throat into the test tube.
STEP 3: Your test goes to the laboratory
The test tube is placed in safe packaging. A courier then takes the test tube to a laboratory.
STEP 4: They analyze your test
The laboratory will then analyse the coronavirus test. The result of this test might be:
The laboratory will enter the result in the administration system.
STEP 5: You get the result
The laboratory will tell the administration system which result belongs to which barcode. This links the barcode back to your personal data. Then you get the result. This can be done in the following ways:
STEP 6: Proof of negative test result
Have you been tested and do you want to be able to prove you have a negative test result? Or do you want proof of recovery or a vaccination certificate? You may need this to travel or go to an event. Then you can use the CoronaCheck application. You can get a QR code for your certificate in this app.
If you are not able to pick up a QR code in the CoronaCheck app, click here for more information.
Is your data incorrect? Or do you have questions about your data? The GGD GHOR Nederland’s back office can check your data and correct it if needed. Contact the back office at 0800-5090.
What else do we use your personal data for?
It is important that we know how many infections there are in the Netherlands and how many tests have been done. We use your data to find this out, but in a general, anonymous way. This means that we don’t see any of your personal data in the information. Your data might also be used for scientific research. This is also done anonymously, and it follows the rules that apply to scientific research.
We will ask you for your permission if we want to record your telephone conversation with a call centre employee. We will only record the conversation if you give us this permission. We use these recordings to help improve our work. We also use something called ‘automatic speech analysis’ to do this. Here’s how it works. The computer ‘listens’ to the recording of your telephone conversation and looks for specific words. This helps us to select recordings of telephone conversations to check. We check for things like employee fraud or employees who give medical advice when they shouldn’t. It also helps us understand why somebody was not able to make an appointment. This helps us to do our work better.
When do we send your data to other organisations?
In some situations we send data related to you to other organisations. Can people find out from this data that it is linked to you? Then we will only send it if you have given your permission. Or if the law says that we have to.
We send your data to these organisations:
What personal data do we use?
We need your personal data to run the coronavirus test properly. And to let you know the result.
These are the types of personal data we need from you:
You log in to the coronatest website with your DigiD. This will help you make your appointment securely. It will also let us know who is making the appointment. We will not be able to see your DigiD username or password.
Do you work in education or healthcare and can you make an appointment through the priority line? If so, we will ask for some extra information to verify this. This may include an AGB code or a BRIN number. If you don’t have the verification information we need, you will need to use 0800-1202 or make an appointment online.
What laws apply to the way we use your personal data?
The General Data Protection Regulation (GDPR) states that we can only use your personal data if we have certain reasons. These are called ‘valid’ reasons. The GDPR states that these valid reasons are: consent, agreement, legal obligation, vital interest, public task / public interest or legitimate interest.
We use your data to fight an infectious disease epidemic. This is a public task or a public interest task. The GGD is also required by law to record, check and follow up on data for these types of diseases. We have to report our test results to the National Institute for Public Health and the Environment (RIVM). This is stated in the Wet publieke gezondheid (translated here as Public Health Act).
The laws that apply here are:
We will only record the conversation with the call centre employee if you give us permission. We will ask you this before the conversation starts. The law that applies is GDPR Article 6, paragraph 1a and Article 9, paragraph 2a.
If you contact GGD GHOR Nederland’s back office to check the data used for your test certificates or proof of recovery, the telephone conversation will be recorded. We do this to make sure any complaints are handled properly. We record the conversations on the basis of Article 6, paragraph 1f of the GDPR.
How long do we keep your personal data?
We keep your personal data for a maximum of five years. This is allowed by the Wet publieke gezondheid (translated here as Public Health Act). After this time, we destroy the data or make it anonymous.
During the coronavirus test, an employee will use a cotton swab to remove cells from your nose and throat. This cotton swab is sent to a laboratory to be tested. How long the laboratory keeps the cotton swab depends on the result of the test:
We do not collect your DNA
We will ask for your permission if we want to keep your personal data longer. The only time we wouldn’t ask you this is if we need to keep it longer because of another law.
We keep recordings of conversations with the call centre for 14 days. We use them to check the quality of our work and handle complaints. We delete the recordings after 14 days. Sometimes, there is a complaint or problem related to the recording. If this happens within the 14 days, then we keep the recording until we have dealt with the complaint or solved the problem. We make reports based on the speech analysis of the recordings and keep these reports for up to 14 months. They don’t contain any personal data.
If you contact GGD GHOR Nederland’s back office to check the data used for your test certificates or proof of recovery, the telephone conversation will be recorded. We will keep the recording for 4 weeks.
How do we protect your personal data?
We think it is important to keep your personal data safe. To do that, we make agreements with the people and organisations that process the data for us. The agreements say what they can do with your data for us.
What else do we do?
What are your rights?
These are your rights under the law:
You can contact the GGD that performed your test for all of these situations.
Do you have questions or complaints about the use of your personal data?
Do you have questions or complaints about the use of your personal data? Please contact the Data Protection Officer at the GGD that performed your test. Every GGD has a Privacy Statement. This tells you who the Officer is.
Appendix 1 lists the website addresses for all GGDs.
You can also report a complaint to GGD GHOR Nederland. You can do this by sending your complaint to the GGD GHOR Nederland’s Data Protection Officer. The email address is firstname.lastname@example.org.
What can you do if you don’t agree with the outcome or the way we handled your complaint? Then you can send a complaint to the Dutch Data Protection Authority. You can do this at this website.
We will adjust this privacy statement as necessary. For example, if we have to change who processes personal data, or which personal data we use.
We last updated this statement on July 23, 2021.
Would you like to know which GGD belongs to your municipality? You can see this at www.ggd.nl.